NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, available from the NIST Computer Security Resource Center, offers guidance on conducting security assessments.


NIST's Computer Security Resource Center (CSRC) distributes NIST Special Publication 800-115, titled "Technical Guide to Information Security Testing and Assessment." NIST SP 800-115 provides guidance on selecting and implementing security testing techniques, including penetration testing.

Key Points

  • Review Techniques: passively examine systems, applications, networks, policies, and procedures to discover security vulnerabilities, using techniques such as documentation, log, ruleset, and system configuration review; network sniffing; and file integrity checking.

  • Target Identification and Analysis Techniques: focus on identifying active devices and their associated ports and services, and analyzing them for potential vulnerabilities. The techniques used include network discovery, network port and service identification, vulnerability scanning, and wireless scanning.

  • Target Vulnerability Validation Techniques: use information produced from target identification and analysis to further explore the existence of potential vulnerabilities, using techniques such as password cracking, penetration testing, and social engineering.

  • Security Assessment Planning: provides guidance on creating an assessment policy, prioritizing and scheduling assessments, selecting the appropriate assessment approach, and addressing logistical considerations.

  • Security Assessment Execution: vulnerabilities are identified using the methods and techniques decided upon in the planning phase and set out in the assessment plan. This section highlights key points for assessors to consider throughout the execution phase.

  • Post-Testing Activities: presents ways that organizations can translate their findings into actions that will improve security, including mitigation recommendations, reporting, and remediation.

